SBS - the best value in QMS software

Validation of mobile app and cloud servers for data security

racglobal

Involved In Discussions
#1
Hello everyone,

To ensure the mobile app is securely downloaded from an app store such as Google Play or Apple store, how can a team validate the download is secure from Google Cloud servers? How can these cloud servers be validated? Is it assumed that because it's Google, the download must be secure? Thanks.
 
Elsmar Forum Sponsor

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
I have no idea, so I asked my IT Director husband. His response: "Google Play and Android apps are not validated by these companies, but Apple validates its apps before making them available."

These apps are publicly contributed and the hosts take no responsibility for them. I would worry more about the app than the cloud servers; reviews can give solid hints. Google is known for pulling apps that get really bad reviews. This is, of course after the fact... the security of your own internet provider and your networks' visibility to others is a different topic altogether.

Therefore, if you want to ensure an Android or Google app is secure, you should first download it onto a segregated unit or drive, test it and then deploy it.

I hope this helps!
 
Last edited:

Marc

Hunkered Down for the Duration with a Mask on...
Staff member
Admin
#3
Jennifer is correct, but... 1st: I'M NOT A SECURITY SPECIALIST. Hopefully someone who is can help with specifics with this one.

There are two aspects here that I can think of off hand:
  1. Security in the sense that whether the app its self is "secure" in how it works (such as no data leaks), and
  2. Security in that there is no MITM (man in the middle) or other data corruption issue that can in any way alter a file (which an "app" is).
Let's say you are just downloading an app. If the app provider provides a checksum for the app, you can verify whether or not the content of the app is exactly what is is supposed to be.
Also see: How to verify the checksum of a downloaded file (pgp, sha, etc.)? for some thoughts.
Microsoft's helper: Download Microsoft File Checksum Integrity Verifier from Official Microsoft Download Center
Windows 10's Built In checker: What Is a Checksum (and Why Should You Care)?

But remember, checksums are somewhat analogous to filesystem "fingerprints"- no two should ever be alike, and any modification to the file should change the checksum. But checksums are unsuitable for any kind of security work:
CRCs cannot be safely relied upon to verify data integrity (that no changes whatsoever have occurred), since it's extremely easy to intentionally change data without modifying its CRC.
That's probably because CRC is a simple algorithm designed for speed - not security. A checksum is really just a specific kind of hash. Steve Friedl's Illustrated Guide to Cryptographic Hashes is an excellent, highly visual introduction to the more general theory behind hashing.

NOTE: If the app was not coded well, or if the coder intentionally puts in malicious code, a check sum is useless.

Now as to the "app" its self. As per Jennifer's husband's response: This is the type of thing that pops up several times a year (or so it seems: 22 apps with 2 million+ Google Play downloads had a malicious backdoor and Google Play apps with as many as 2.6m downloads added devices to botnet are two examples - Now, these are apps available to the public. If you are thinking of making/coding an app and posting it somewhere to be downloaded by specific people this shouldn't be an issue.

NOTE: While Apple is quite good, Apple has also found and withdrawn malicious apps - For example, Apple Lists Top 25 Apps Compromised by XcodeGhost Malware and More malicious apps found in Mac App Store that are stealing user data
I am adding to @Jen Kirley 's response to make clear that validation of software, which "apps" are, you need a security specialist. There are quite a few potential security issues that have to be considered.
 

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#4
We use iOS applications but it uses BLE to communicate with our device. BLUETOOTH SPECIFICATION Version 4.2 discusses the redundancy checks inherent in the BLE specification. That is, in order for the device to work it has to verify the checksum of each packet - that's 100% inspection. From our devices perspective, it is promiscuous and just transmits data without any HIPAA information. I have never been asked about this during an FDA audit or 13485 audits.

Technology is changing all the time. If a hospital changes out their routers or ATT repairs a 4G antennae we dont have to revalidate even though the antennae may be new (if we were using that method). We rely upon the specification to control it. Apple and Android have tight controls over application updates, etc. We regularly validate each new iOS sw update that it works. New router firmware at hospitals? No.
 
#5
There are many possible answers to your question depending what is your question. If your concern is : is the app downloaded from the store is the real app from legitimate source? The checksum is clearly the answer it used on most security critical application to avoid fake malicious version. If your question is about the networks transmission. This clearly depend of who is downloading from where. At the end the solution will probably any way the checksum.
 
Thread starter Similar threads Forum Replies Date
J Mobile Medical Device App Validation Guidance vs. GPSV? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
N Sterilization Protocol Change in Validation Process and further impacts ISO 13485:2016 - Medical Device Quality Management Systems 1
B Oracle Cloud ERP Validation during Quarterly Patch ISO 13485:2016 - Medical Device Quality Management Systems 1
D Software validation team Misc. Quality Assurance and Business Systems Related Topics 3
W LTPD, AQL, Ppk and Cpk validation sampling plan table Inspection, Prints (Drawings), Testing, Sampling and Related Topics 0
J Validation Sample Size for Tray Seal Qualification and Validation (including 21 CFR Part 11) 1
F AS9100 - Validation, FAIR's, ITAR and Sub-Contracting AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
R PCBA process validation Qualification and Validation (including 21 CFR Part 11) 2
A ISO 17025 - Methods validation and clients ISO 17025 related Discussions 3
S Sterilization validation after changing sterilization process provider Qualification and Validation (including 21 CFR Part 11) 3
B Sterilization Validation Plan Other Medical Device Related Standards 3
D Test Method Validation Qualification and Validation (including 21 CFR Part 11) 4
T Laboratory Verification after validation ISO 17025 related Discussions 3
silentmonkey Rationalising the level of effort and depth of software validation based on risk ISO 13485:2016 - Medical Device Quality Management Systems 10
D Questions regarding process validation ISO 13485:2016 - Medical Device Quality Management Systems 6
Y We found out we have been using a equipment without validation for past 4 years Quality Manager and Management Related Issues 6
Z Is IQ necessary for laser marking validation? EU Medical Device Regulations 3
E 13485:2016, Sections 4.1.6, 7.5.6 and 7.6 - Validation of Software - Need some Advice please ISO 13485:2016 - Medical Device Quality Management Systems 3
A Validation of Forced Aeration Process ISO 13485:2016 - Medical Device Quality Management Systems 3
E Mentor for Test Method Validation (TMV) Design and Development of Products and Processes 2
M API 4F/7K/8C Design Package Validation Oil and Gas Industry Standards and Regulations 2
I ISO 2233:2000 Question - Medical Device Shipping/Transportation Validation Other ISO and International Standards and European Regulations 1
T Annual Validation as a detection mode on a PFMEA? FMEA and Control Plans 5
B TMV - Selection of TM's for Validation ISO 13485:2016 - Medical Device Quality Management Systems 5
S Forced ServiceNow validation - No change in our current user and functional requirements IT (Information Technology) Service Management 6
P Human Factors / Usability validation in the time of COVID Human Factors and Ergonomics in Engineering 14
C Template for Excel Validation Reliability Analysis - Predictions, Testing and Standards 6
M IT validation for a paper based MD repair company QMS ISO 13485:2016 - Medical Device Quality Management Systems 6
P Unrealistic Packaging Validation Sample Size 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 13
D Test summary report example for design validation wanted - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 1
M Is Validation of Plating Processes required and who is responsible? Qualification and Validation (including 21 CFR Part 11) 11
T ISO 13485 - Process validation at critical suppliers ISO 13485:2016 - Medical Device Quality Management Systems 7
K Software Validation for Measurement Tools used in Process Validation ISO 13485:2016 - Medical Device Quality Management Systems 2
Stoic Manual soldering processes - 100% verifiable, or always requiring validation? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 15
P Design verification driven by new equipment. How is this different than process validation? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
S Rees System Validation Qualification and Validation (including 21 CFR Part 11) 1
K PQ validation qualification - Asked to write a PQ protocol ISO 13485:2016 - Medical Device Quality Management Systems 6
Stoic Are any medical device companies using the 2011 FDA process validation guidance instead of GHTF/SG3/N99-10:2004? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
K Old medical devices -> 7.3.7. Design and development validation ISO 13485:2016 - Medical Device Quality Management Systems 1
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 9
Y Retrospective Validation - Class I device 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 10
S High voltage testing - ISO 17025 - 7.2.2 Validation of methods and 7.3 Sampling ISO 17025 related Discussions 3
M Production approval testing - Alternative ideas for Validation Reliability Analysis - Predictions, Testing and Standards 4
M Validation of two nearly identical products Other Medical Device Regulations World-Wide 5
J Requested Validation plan and reports Manufacturing and Related Processes 4
S Validation Records - Very young QMS Qualification and Validation (including 21 CFR Part 11) 2
M Test method validation - Is MSA (MSA1, MSA2, MSA3 and linearity) a good solution? Medical Device and FDA Regulations and Standards News 1
G Devices from IQ, OQ or PQ process to be used for verification, validation and summative? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 5
K ERP System Software Validation - ISO13485 2016 4.1.6 Design and Development of Products and Processes 8
W ASTM F1929 dye penetration test - Validation for in-house testing ISO 13485:2016 - Medical Device Quality Management Systems 13

Similar threads

Top Bottom